COVID-19 Tracking App 'COVID Kaya' Leaks Data
A mobile app designed to serve as a Covid-19 case tracking platform, named 'COVID Kaya', was found to be insecure. The platform was used by doctors and healthcare workers to keep track of active Covid-19 cases in the Philippines.
Researchers discovered vulnerabilities and security holes in both the mobile application as well as its web interface. The flaws allowed potential bad actors to gain access to the personal information of health workers. Additionally, patient data could have been exposed too. The discovery was made by researchers with The Citizen Lab - a security-focused division of the University of Toronto.
The COVID Kaya platform was launched in the summer of 2020 and was designed to allow health workers in the Philippines to have immediate access to collective data about active Covid-19 cases and coordinate this information with the country's ministry of health. COVID Kaya had both iOS and Android versions, as well as an interface for web access.
The mobile applications were based on code ported out using Cordova - a development environment that allows export of web-focused applications to mobile devices.
The researchers from The Citizen Lab found vulnerabilities in both mobile versions of the application that would allow potential bad actors to access data that would normally require superuser login credentials. Two security vulnerabilities were reported by the researchers in the Android and web-based platforms and have since been patched by the COVID Kaya development team.
The web security flaw allowed unauthorized access to API endpoints and thus - unrestricted access to the names of thousands of health workers who were using the Kaya platform. The Android version had an issue with using hardcoded API credentials, which effectively allowed potential bad actors to access personal information of patients.
Thankfully, the flaws reported by The Citizen Labs have been patched and the potentially exploitable credentials have been disabled.
This is just another example of a data security issue connected with the Covid-19 pandemic, after numerous phishing campaigns, frauds, malware strains and mobile scams that were somehow exploiting the global situation.